January 5, 2017
On December 28, 2016, the New York State Department of Financial Services ("DFS") updated its proposed cybersecurity regulations for financial services companies. The originally proposed regulations, issued in September 2016 and outlined in our prior alert, were a sweeping effort by the New York state banking and insurance regulator to impose certain cybersecurity requirements on a broad set of regulated institutions. The original proposal engendered widespread criticism. Certain provisions in the revised regulations have been changed in response to comments on the original, but other aspects of the regulations–including some that were extensively criticized–remain unchanged in whole or large part. The updated proposal is again subject to a 30-day notice and public comment period, in which DFS has said it will focus on new comments not previously raised. The proposed regulations are scheduled to go into effect March 1, 2017, with longer periods allowed for compliance with certain aspects of the regulations, as explained below.
One of the major critical themes of the over 150 comments DFS received on the original proposal targeted the broad applicability of the regulations to all but the very smallest financial services companies. DFS rejected this critique, and the proposed regulations still would apply to all companies "required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law." As such, the proposed regulations would continue to apply to a wide swath of financial institutions, including state-licensed banks, savings banks, savings-and-loan associations, private bankers, insurance providers, virtual currency providers, money transmitters, licensed lenders, mortgage companies, and state-licensed offices of non-U.S. banks. Only very small institutions with fewer than ten employees, less than $5 million in gross annual revenue in each of the last three years, or less than $10 million in assets are exempt from certain requirements–but they still must certify that they qualify for the exemption.
The most notable change in the proposed regulations is the incorporation of expanded transition periods for regulated entities to come into compliance. Originally, regulated entities were to have 180 days from January 1, 2017 to become compliant with all provisions. Now, compliance within 180 days of March 1, 2017 would be required for certain provisions, including mandates to:
Regulated entities now would have one year from March 1, 2017 to take additional steps, including:
In addition, regulated entities now would have eighteen months from March 1, 2017 to implement a third set of requirements:
Finally, regulated entities now would have two years from March 1, 2017 to establish written policies and procedures to ensure the security of data that is accessible to or held by third-party service providers.
Other modifications allow for more flexibility in the implementation of the originally proposed regulations based on the results of the risk assessments that must be performed by covered entities. For example, instead of universally mandating vulnerability assessments on a quarterly basis, the revised proposed regulations now allow covered entities to conduct monitoring and testing developed in accordance with their risk assessments. Risk assessments, too, must be performed only "periodically" under the revised proposal, rather than annually. Such flexibility presents a potential trap for the unwary, however: the U.S. Department of Health and Human Services ("HHS"), which also emphasizes the importance of managing cybersecurity risks uncovered during periodic risk assessments, has repeatedly penalized entities it regulates based on the failure to perform what it considers to be thorough risk assessments. Having modeled many of the requirements of its proposed cybersecurity regulations on the HIPAA Security Rule enforced by HHS, DFS appears poised to pursue a similar enforcement strategy.
Importantly, DFS now has added a materiality requirement to the breach reporting requirements in the proposed regulations. Under the original version of the proposed regulations, covered entities would have been required to report to DFS, within 72 hours, "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System." As noted in our alert on the original proposed regulations, this requirement could have triggered an avalanche of required reports related to unsuccessful attempts to access sensitive information. The current version of the proposed regulations modifies this provision to require notice of such acts or attempts only if they "have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity," or are otherwise required to be reported to any "government body, self-regulatory agency or any other supervisory body." This latter catch-all would include, for example, the breach notifications that companies must provide to state regulators under other state breach notification laws. The proposed regulations maintain the 72-hour reporting period, but change the trigger for the beginning of this period to the point when the company determines an incident is reportable, rather than the cybersecurity event itself (which was the potentially unworkable trigger in the original regulations). This 72-hour period for the notification obligation is notable for its specificity and may suggest a future enforcement focus for DFS.
Other important changes include a narrowed definition of the term "nonpublic information," which is used to trigger certain obligations under the regulations. The original proposed regulations defined "nonpublic information" to include "any information that can be used to distinguish or trace an individual’s identity." The revised definition is more specific, and thus has been narrowed, such that information is "nonpublic" if it is about an individual, such as a "name, number, personal mark, or other identifier [that] can be used to identify such individual," and is combined with enumerated sensitive data, specifically "(i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account; or (v) biometric records." Among other things, this modified definition better identifies core sensitive material, and for purposes of the proposed regulations, the modified definition limits the scope of information that must be encrypted or otherwise protected while in transit and at rest.
The revised DFS regulations reflect an attempt to provide more time and flexibility for regulated entities to come into compliance. However, the revised regulations still would impose significant new requirements on a broad range of companies. Meeting the requirements will require careful planning, the importance of which is compounded by the potential for investigations and enforcement actions for noncompliance. Companies potentially affected should review the proposed regulations and assess their cybersecurity policies, procedures, and practices for compliance.
 See Gibson Dunn Client Alert, New York State Department of Financial Services Announces Proposed Cybersecurity Regulations (Sept. 19, 2016), available at http://www.gibsondunn.com/publications/Pages/New-York-State-Department-of-Financial-Services-Announces-Proposed-Cybersecurity-Regulations.aspx.
 A copy of the proposed regulations may be found on DFS’s website at http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.
The following Gibson Dunn lawyers assisted in the preparation of this alert: Alexander Southwell, Eric Vandevelde, Ryan Bergsieker and Melissa Goldstein.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:
Alexander H. Southwell – Chair, New York (+1 212-351-3981, firstname.lastname@example.org)
M. Sean Royall – Dallas (+1 214-698-3256, email@example.com)
Debra Wong Yang – Los Angeles (+1 213-229-7472, firstname.lastname@example.org)
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, email@example.com)
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, firstname.lastname@example.org)
Shaalu Mehra – Palo Alto (+1 650-849-5282, email@example.com)
Karl G. Nelson – Dallas (+1 214-698-3203, firstname.lastname@example.org)
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, email@example.com)
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650–849–5393, firstname.lastname@example.org)
Ryan T. Bergsieker – Denver (+1 303-298-5774, email@example.com)
Richard H. Cunningham – Denver (+1 303-298-5752, firstname.lastname@example.org)
© 2017 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.